There’s this German word I love: Schadenfreude. It’s one of those weird words that doesn’t really have a direct English translation, but it roughly means taking joy at other people’s misfortune. It basically describes how I feel about what’s been happening to Ashley Madison recently.

Ashley Madison, for those not in the know, is a dating site that focused on facilitating extra-marital affairs. It can be thought of as the Facebook of philandering, with over 37 million registered, adulterous users. As is so often the case with dating websites, the overwhelming majority of their subscribers (between 90 and 95 percent) were men.

Here’s where the schadenfreude kicks in. They were recently hacked by Impact Team – an otherwise unknown band of hackers – who threatened to leak their entire database unless the cheating website (and companion sites Established Men and Cougar Life) was shut down.

Avid Life Media, who own Ashley Madison, refused to comply. Earlier this morning, 9GB of data from the site was dumped onto a Tor darknet website. It contained everything. Not just usernames and emails, but also internal emails, corporate documents, sexual preferences, biographical data, and even GPS locations. Ouch.

Going through a dump… This wasn't a database hack. This was full scale pwnage of the entire company. Domain hashes, internal docs galore.

If you were caught up in the Ashley Madison leak, allow me to express a sincere and Nelson Muntz-like haw haw. I must admit, I’m not terribly sympathetic. But still, as a security writer I feel obliged to tell you a few things.

Change Your Passwords

Ashley Madison were thoroughly and utterly owned. There’s no escaping that. But I should give them credit for having some pretty sensible security procedures.

The amount of sheer computational power required to break a bcrypt password is immense. That means if you used a secure, complex password, the odds of it being cracked are relatively slim. But if you use a common or weak password, you should expect your password to soon become public knowledge.

Either way, you’d be advised to change your passwords on any sites where you used your Ashley Madison password and never use it again.
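To put rough numbers on the bcrypt point above, here is an added example (not part of the original article): it reads the cost field out of a bcrypt hash string and estimates how long a common-password list takes to exhaust versus a random password's full keyspace. The sample hash, the guess rate at cost 5, the wordlist size and the password alphabet are all constructed assumptions, not figures from the dump.

```python
import re

# bcrypt modular-crypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed placeholder hash (cost 12, dummy salt/digest); not taken from the dump.
SAMPLE_HASH = "$2a$12$" + "A" * 53

# Assumption: attacker hardware manages this many bcrypt guesses/second at cost 5.
ASSUMED_RATE_AT_COST_5 = 100_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def bcrypt_cost(hash_str):
    """Return the log2 work factor stored in a bcrypt hash string."""
    match = BCRYPT_RE.match(hash_str)
    if not match:
        raise ValueError("not a bcrypt hash")
    cost = int(match.group(1))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return cost


def guesses_per_second(cost, rate_at_cost_5=ASSUMED_RATE_AT_COST_5):
    """Each +1 in cost doubles the work per guess, halving throughput."""
    return rate_at_cost_5 / 2 ** (cost - 5)


def seconds_to_exhaust(candidates, cost):
    """Worst-case time to try every candidate against ONE salted hash."""
    return candidates / guesses_per_second(cost)


def compare(hash_str, wordlist_size=10_000_000, alphabet=62, length=12):
    """Contrast a common-password list with a random password's keyspace."""
    cost = bcrypt_cost(hash_str)
    return {
        "cost": cost,
        "wordlist_hours": seconds_to_exhaust(wordlist_size, cost) / 3600,
        "random_years": seconds_to_exhaust(alphabet ** length, cost) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    print(compare(SAMPLE_HASH))
```

Under these assumptions the common-password list is exhausted in a few hours per hash, while the random 12-character password holds for over a hundred billion years. Because bcrypt salts each hash, the wordlist cost is paid again for every account.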

Think About Credit Cards

Included in the data dump were records of financial transactions dating back to 2007. These included names, street addresses, emails, amounts paid, but not entire credit card numbers. Each of these records contains a four-digit number that’s largely assumed to be either a transaction code, or the last four digits of a credit card number.

This in itself isn’t that much of a problem. There’s not a lot you can do with the last four digits of a credit card. But some companies do allow you to verify your identity with it.

You might remember in 2012 when Wired columnist Mat Honan had his entire digital life eviscerated. Everything from his Apple mail, to his Google accounts. Even his Macbook and iPhone were remotely wiped.

This was made possible because Apple allowed people to authenticate with only the billing address, and the last four digits of a registered credit card.

It might be a bit paranoid. Hell, I’ve often been accused of being such. But if I got caught up in the Ashley Madison hack, I’d immediately cancel my card, and disassociate it from any of my online accounts.

Expect To Be Punished

Here, I really want to stress something. If you were caught up in the Ashley Madison hack, you should realize that private, intimate details about your life and sexual preferences have been made public. What was once personal is now open for the world to see. That’s just something you have to deal with.

It’s worth pointing out that when dating websites have been hacked in the past, it then resulted in the users being vigorously and thoroughly trolled, and their digital lives being flipped upside down.

When 4chan denizens hacked an unnamed Christian social network in 2009, they were able to make off with emails and passwords. These were then used to gain access to Facebook accounts, where the hackers then posted obscene, racist or lewd messages to embarrass the owners.

I didn’t agree with that then, and I wouldn’t agree with it now. That said, I wouldn’t be remotely surprised if something similar happened this time.

According to CSO Online, about 14,000 US government and military emails were found in the dump. British daily The Telegraph has said there were scores of .gov.uk emails. If you were one of them, don’t be surprised if you get in hot water with your employers.

By now, odds are pretty high that there are some tabloid hacks sifting through the leaked dump, probably with the help of someone who knows SQL. They’ll be looking for celebrities and politicians. If you are a public figure and used Ashley Madison, you can pretty much expect to be thoroughly and publicly disgraced.

As anyone who’s read Jon Ronson’s magnificent So You’ve Been Publicly Shamed (or, for that matter, watched his latest TED talk) knows, we all share an incredible capacity for collective outrage and public shaming.

Start Making Amends

If you were on Ashley Madison, it’s safe to say you’re probably in a bit of hot water at home. That’s bad news for you, but great news for a few other people:

The Ashley Madison hack will be really bad for a lot of people.
Great for divorce lawyers and florists though!

It’s Going To Get Messier

At the time of writing, the Ashley Madison dump has been online for about 12 hours. It’s still very early days. I predict that in the week to come, we’ll see a lot more public embarrassment. A lot more marriages ended, and careers disrupted. It’s going to get messy, indeed.

Already, we’ve seen sites that facilitate access to the leaked data. There’s ashmadlookup.com, which simply confirms whether an email was in the database.

There’s also haveibeenpwned.com, who are taking a slightly different approach. Here, the data is only accessible for those who have verified their email address with them, due to the incredibly sensitive nature of the data.

So, what advice does Impact Team have for you?

“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”

You can’t argue with that. Ashley Madison systematically failed to protect their customers. I don’t doubt they’ll find themselves in court in the months to come.

Over To You

Were you impacted by the Ashley Madison breach? Do you know someone who was? Want to talk about it? Drop me a comment below, and we’ll chat.

Mihir Patkar

August 30, 2015 at 2:15 pm

I don't really have a problem with the article's base premise, but I do question the advice later, especially since the earlier security-related advice seems logical. Emailed apology? Flowers? Check into hotel rooms? You're talking about two people's lives here and being far too frivolous about it. The article was great till that part.

Yeah, I'm talking about people's lives. But the woman (Ashley Madison was almost entirely male) will almost certainly be better off with someone who knows the meaning of the word "fidelity", and the guy is a scumbag for cheating.

It doesn't really seem necessary to the article, is my point. I can see why one throwaway line would be worth it. To have a whole section, with 4 paragraphs, two photos, one tweet, and one video, seems "far too" frivolous, not just frivolous/flippant/callous/adjective.

My larger point is, it's fun to sit in judgement, but there are different avenues to express those. I'm all for you voicing these opinions on your personal Twitter/blog/FB. I did too. I chuckled through some of the snipes and cracks in the early paragraphs because, like with a well-written monologue, it delivered an important message with a dose of humour.

But that entire "What you should do" was wholly unnecessary in what is, till then, a solid article. As someone who shares your opinion about cheating being incredibly assholic, it was disappointing to see you demean the gravity of the situation.

Some of those families might have kids involved. Some might have extreme financial problems, or several other reasons where a split isn't possible. The victim (for lack of a better term) knows that being with someone who will honour fidelity is better, but there can be a lot of reasons due to which splitting up isn't an option.

My biggest problem is this: Ashley Madison trivialized infidelity and made it frivolous. Unfortunately, that's what you did with that section too, imo.

You say you are a security writer and "But I should give them credit for having some pretty sensible security procedures." which would indicate that AM was doing things fairly well (obviously not well enough especially after finding out they were a target of the Action Team). Yet you seem to have no sympathy for AM or their customers which is confirmed when you said "If you were caught up in the Ashley Madison leak, allow me to express a sincere and Nelson Muntz-like haw haw. I must admit, I’m not terribly sympathetic." Nice.

And then you say
"You can’t argue with that." to the Impact Team's "Learn your lesson and make amends".

Sorry, I can argue with that.

The Impact Team went way out of their way to get into other people's business and expose that to the entire world. To my mind, that is so much worse than what probably 90% of the AM customers were up to.

And, in this day & age, people won't be able to just "get over it" as the team directs since the info will be on the internet and it is possible that every potential employer or friend or date will search these people's names and be shown articles that say they were AM customers back in 2015.

As a security writer you should focus on the technology rather than glaze over it and you should be outraged about the hack. Most of your advice to AM customers was condescending.

The tone of this article has obviously left a foul taste in my mouth. All I can say is I think I'd rather go for coffee with any of the AM customers rather than this writer. The writer has taken the same attitude to the AM users as the Action Team has taken. (I say, keep the attitude inside your own church on Sundays.)

I am not an AM client and happen to be faithful to my spouse but I am finding so many people enjoying their Schadenfreude at the expense of average, normal, people who had the misfortune of having a website they joined being hacked by holier-than-thou a-holes. The penalty they will each pay is pretty harsh compared to their "sins" or compared to the penalty paid by 99.99% of the people through history who have, or wanted to have, done the same sin.

This comment is ridiculous. You focus on a hack team that exposed cheaters, instead of the real issue at hand.

"normal, people who had the misfortune of having a website they joined being hacked"

a misfortune? really? You actually believe they "accidentally" joined a website the sole purpose of which is to find "a mate" to cheat with? Jeez... if their email just happened to be there, it cause them to issues as they would easily prove it to their loved ones.

You do realize this business was created specifically to make as much money as possible on infidelity. The more infidelity there is, the more money they make. Even their headline incentivized people to cheat: "Life is too short. Have an affair." Wow, just wow.

AM knew about the hack and refused to shut down. Why? Because they could care less about their clients. Because they know there would still be some who wouldn't know about the hack who would gladly pay them to use the service. This is a very sad premise to start and run a business.

And most importantly, even though they could, hackers didn't demand ransom from subscribers. All they asked for was to shut down a service that promotes and incentivizes cheating....

Moral of the story: do not cheat! and if you can't, don't get married. simple as that. really. And any legitimate company would have not only prevented this hack, but also made sure their clients didn't have to suffer the consequences.

Before engaging in holier-than-thou condemnation of alleged Ashley Madison clients, you should read Guy McDowell's article on Internet Mob Justice.

I see that your favorite physical exercise is jumping to conclusions. It seems that quite a few email addresses were in the Ashley Madison database without their owner's knowledge, meaning that they WERE NOT clients/philanderers. Security experts still have not established the veracity of the hack.

As a security writer you should be very concerned about what the Ashley Madison hack means to the rest of the Internet. Which site is next? What group with an ax to grind will be the next to expose millions of people to public shaming? Earth Liberation Front? Animal Liberation Front? The jihadists? GreenPeace? Is your life so free of skeletons that it can stand the scrutiny by any and all wacko groups out in the wild? Actually, it does not matter. Your name, rank and serial number could be stolen and included on a hit list just to make it larger.
BTW - have you checked whether any of your email addresses are among the 9GB of data dumped unto the darknet?

If you are married you have made a vow to your spouse, to be faithful (In Christian terms that means the ONE and only). Single men or women, well maybe. It's still pretty risky to have multiple sexual partners, diseases and all. Come on there's still Hepatitis C etc see here. http://www.cdc.gov/std/

Since I recently found out that there is an extra-marital affair dating site that is actually run by a Private Investigator this is going to become more interesting.

I'm not a cheater.
I have been cheated on.
I'm only a little conflicted about this, on the one hand it's like shining a light on cockroaches, on the other hand another blow to the illusion that there is still such a thing as privacy.

Like the author, I feel morally split by this. On the one hand, the site's whole ethos is reprehensible. So are the majority of its users (although, to be fair, some of them may be in open partnerships, using Ashley Madison with the full knowledge and support of their partners). But something deeply private and personal has been made public, for millions of people, for the sake of making a point - and that was more reprehensible still. It's the hackers who emerge from this with the lowest moral standing, I feel. The same could have been achieved - if it had to be achieved at all - with a much smaller release of data.

I have no doubt whatsoever that this signals the commercial end of Ashley Madison. No-one's going to use them again, and the class-action impact will be financially lethal. But all that really does is to open the market to competitors, to fill the gap they left.

I love how the wide paint brush has been applied here that everyone who uses Ashley Madison were all adulterous. Let's not even discuss that there were a large contingent of folks who used the site to have one-offs with other singles without a full relationship (so as to avoid those on "other" sites), and people in open relationships.

Matthew Hughes is a software developer and writer from Liverpool, England. He is seldom found without a cup of strong black coffee in his hand and absolutely adores his Macbook Pro and his camera. You can read his blog at http://www.matthewhughes.co.uk and follow him on twitter at @matthewhughes.